data privacy regulations

Domain knowledge of legal frameworks (e.g., HIPAA, CCPA, GDPR) that define obligations for consent, data subject rights, breach notification, data minimization and protections for personal or health information, and the technical and organizational measures required to achieve and demonstrate compliance.

dataprivacyregulations

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems

Mar 10, 2025
LT
L. Thomas van Binsbergen
🏛️ University of Amsterdam | Leibniz Institute | TNO

This paper addresses the challenges of GDPR compliance, ambiguous accountability, and high manual auditing costs in cross-organizational distributed data processing. Methodologically, it introduces the first automated compliance framework integrating legal expert judgment with formal reasoning: (i) a purpose-limitation–driven GDPR ontology and semantic model; (ii) a novel deep extension of eFLINT and XACML to support legally precise policy modeling and verifiable enforcement; and (iii) an automated normative reasoning engine that generates auditable legality justifications. Contributions include: transparent and accountable data access control; empirical validation across multiple distributed data space prototypes demonstrating completeness of legal argumentation, accuracy of policy enforcement, and seamless system integrability; and significant reduction in organizational compliance overhead and legal risk.

Automated normative reasoning for GDPR compliance in data processing.Formal ontology and semantics for lawful and accountable data handling.Integration of GDPR-based access and usage control in distributed systems.

A Mapping Analysis of Requirements Between the CRA and the GDPR

Mar 03, 2025
JR
Jukka Ruohonen
🏛️ University of Southern Denmark | University of Turku

This paper addresses the regulatory misalignment between the EU’s Cyber Resilience Act (CRA) and the General Data Protection Regulation (GDPR). Using comparative legal analysis, requirements mapping modeling, and normative semantic parsing, it systematically establishes the first structured mapping of their security requirements. The study identifies six shared security requirements—spanning confidentiality, integrity, and availability—and originality distills seven novel core security obligations introduced by the CRA, clarifying how they extend and reconfigure existing compliance frameworks. By bridging a critical gap in requirements engineering driven by regulatory evolution, the work delivers a traceable, actionable cross-regulatory requirements alignment framework. This framework provides theoretical foundations and practical guidance for legally compliant security design across the full lifecycle of secure products.

Analyzes overlaps between CRA and GDPR requirements.Explores impact of new laws on existing legal requirements.Identifies seven new essential CRA cybersecurity requirements.

The European Union general data protection regulation: what it is and what it means

Oct 03, 2025
CJ
Chris Jay Hoofnagle
🏛️ University of California, Berkeley | Tilburg University | Radboud University | University of Amsterdam

This paper examines how the General Data Protection Regulation (GDPR) is reshaping global data governance, focusing on institutional tensions between the GDPR and the 1995 Data Protection Directive as well as U.S. privacy law, and its heterogeneous regulatory impacts across diverse business entities. Method: Drawing on doctrinal legal analysis, comparative law, and policy impact assessment—framed within regulatory mechanism design theory—the study systematically evaluates GDPR’s operational logic and extraterritorial effects. Contribution/Results: The paper proposes a novel information governance paradigm anchored in three pillars: enterprise-level internal control mechanisms, data localization practices, and meaningful human involvement in automated decision-making. It elucidates the GDPR’s structural bias favoring direct-to-consumer firms in compliance efficiency and demonstrates how the regulation is catalyzing a fundamental reconfiguration of data-driven business models under heightened protection standards.

Analyzes GDPR's impact on global data usage practicesCompares GDPR requirements with US privacy law differencesExplains the GDPR's regulatory approach for personal data

This study addresses the challenge of operationalizing GDPR compliance in software engineering—specifically, how to realize “Privacy by Design” (PbD) at the requirements and system specification levels while reconciling heterogeneous stakeholder interests and ensuring semantic consistency and traceability between legal provisions and technical specifications. We propose a formal modeling approach grounded in original legal concepts, systematically mapping GDPR articles to reusable privacy requirement patterns. Integrating systematic literature analysis, industry interviews, and requirements modeling, we develop a joint specification framework supporting cross-layer abstraction and transparent, bidirectional traceability. Empirical evaluation demonstrates that the framework significantly improves the accuracy of privacy requirement elicitation and the transparency of regulatory specification, thereby providing a scalable, methodology-driven foundation for law–technology co-governance.

Aligning GDPR requirements with software engineering specificationsBridging problem-solution space gap in privacy by designCapturing legal knowledge in system specifications for compliance

Understanding issues related to personal data and data protection in open source projects on GitHub

Apr 13, 2023
AH
Anne Hennig
🏛️ Karlsruhe Institute of Technology | University of Passau | IT University of Copenhagen | University of Southern Denmark

This study investigates how data protection regulations (e.g., GDPR, CCPA) impact open-source software (OSS) development practices, focusing on the reporting, discussion, and resolution of personal-data-related issues in GitHub projects. Using an exploratory empirical approach—combining inductive thematic coding, annotating reporter roles and issue states, and conducting relevance-based statistical analysis—the authors systematically identify six recurrent categories of data protection issues. Results show that such issues are predominantly reported by non-core contributors; resolution rates are low and rely heavily on non-technical negotiation rather than code-level fixes; and a structural tension exists between regulatory compliance requirements and OSS development culture. This work is the first to empirically demonstrate how data protection obligations are substantively embedded within OSS development workflows, thereby bridging regulatory compliance and OSS engineering practice. It provides foundational evidence and design insights for developing compliance-aware open-source governance mechanisms.

Analyzing developer reactions and resolutions to data protection issuesExamining data protection regulations' impact on software development processesIdentifying who reports and discusses personal data issues in GitHub projects

Latest Papers

What's happening recently
View more

This study addresses the prevailing Eurocentric bias in digital privacy research, which has predominantly focused on regulations like the GDPR while overlooking user concerns and compliance variations across diverse global legal regimes. To bridge this gap, the authors propose a unified abstract framework grounded in the data lifecycle, enabling formal mapping of heterogeneous privacy laws from multiple jurisdictions onto a common structure through legal text analysis and cross-jurisdictional norm alignment. This approach constitutes the first systematic effort to model global privacy compliance beyond GDPR-centrism. By offering actionable guidance for multinational organizations and facilitating privacy-by-design practices adaptable to pluralistic legal environments, the framework significantly broadens both the theoretical scope and practical applicability of privacy research.

data protectiondigital privacyGDPR

This work addresses the limitations of existing data governance tools, which struggle to dynamically adapt to emerging regulations such as India’s Digital Personal Data Protection (DPDP) Act and often lack transparency and explainability, leading to inadequate compliance. To bridge this gap, the paper introduces the first goal-driven agent framework specifically designed for data compliance. The framework integrates a KYU Agent and a Compliance Agent that jointly leverage semantic understanding, user trust modeling, and data sensitivity reasoning, embedding regulatory logic directly into the system to ensure auditable and interpretable decisions. It incorporates anonymization strategies—including masking, pseudonymization, and generalization—and demonstrates significant improvements in DPDP compliance across ten domains, including healthcare, education, and e-commerce, enabling transparent, efficient, and cross-domain adaptive data governance.

compliancedata governanceDPDP Act

This study addresses the widespread lack of compliance disclosures regarding data privacy regulations—such as GDPR and CCPA—in AI datasets hosted on the Hugging Face platform, which poses significant regulatory risks. For the first time, the paper introduces “compliance readiness” as a core dimension of dataset quality and systematically evaluates transparency in data provenance, processing workflows, and handling of sensitive information. Through an analysis of 11,682 public datasets—combining automated text mining of dataset cards with manual sampling and review—the research reveals that the vast majority fail to clearly document their creation processes or data sources, and only a small fraction explicitly identify sensitive fields such as personally identifiable information (PII). These findings highlight critical gaps in current practices and provide an empirical foundation for developing standardized tools and benchmarks for assessing dataset compliance.

AI supply chaindata privacydataset transparency

Breaking the illusion: Automated Reasoning of GDPR Consent Violations

Dec 28, 2025
YL
Ying Li
🏛️ University of California, Los Angeles | University of Toronto | University of Texas at Arlington | in2it

Current automated auditing tools for GDPR/CCPA compliance lack systematic support for diverse web-based consent forms—extending beyond cookie banners—to verify core legal requirements such as freedom of choice, purpose specification, and ease of withdrawal. Method: This paper introduces Cosmic, the first end-to-end automated framework for detecting GDPR consent violations across heterogeneous web forms. Cosmic integrates DOM parsing, OCR-enhanced form recognition, legal semantic modeling, and structured joint reasoning over form elements to enable interpretable, requirement-specific validation. Contribution/Results: Evaluated on 5,823 websites and 3,598 consent forms, Cosmic achieves a true positive rate (TPR) of 98.6% for consent-form detection and 99.1% for violation identification, covering 94.1% of identified consent forms and detecting 3,384 distinct violations. Cosmic fills a critical gap in form-level consent auditing and establishes a novel paradigm for automated, explainable privacy compliance assessment.

Addressing the gap between legal requirements and actual implementationAutomated detection of GDPR consent violations in web formsEvaluating consent compliance across diverse and complex web forms

This work addresses the error-prone and labor-intensive process of manually translating regulatory texts such as the GDPR and the EU AI Act into actionable software requirements. The authors propose Reg2Req, the first end-to-end automated pipeline that leverages natural language processing to identify regulatory provisions, generate system-agnostic software requirements accompanied by plain-language explanations, and establish traceability links. The approach supports requirement classification, use case seed generation, and cross-reference analysis, achieving macro-averaged F1 scores of 0.82 on the GDPR and 0.78 on the EU AI Act. A user study demonstrates that the generated plain-language explanations significantly enhance users’ comprehension and confidence in taking compliance actions (p < 0.001), with all participants expressing willingness to adopt the output as a starting point for compliance efforts.

AI regulationlegal text processingregulatory compliance

Hot Scholars

FJ

Frederik J. Zuiderveen Borgesius

Professor ICT and Law, iHub, Radboud University, The Netherlands
Law and technologyprivacydata protection lawnon-discrimination law
JS

Jose Such

Research Professor, Spanish National Research Council (CSIC)
Privacy & SecurityArtificial IntelligenceHuman-Computer Interaction
RA

Ruba Abu-Salma

Senior Lecturer (~Associate Professor) in Computer Science, King’s College London
Cybersecurityprivacy-enhancing technologies (PETs)HCIusable security and privacy
GT

Gene Tsudik

Peter & Lois Griffin Professor, Jolly Good Fellow of This & That
securitycryptographycomputer securityprivacy
SZ

Sebastian Zimmeck

Associate Professor of Computer Science, Wesleyan University
Internet PrivacyPrivacy-enhancing TechnologiesGlobal Privacy ControlPrivacy Law